Forum Discussion

nbio
New Contributor
2 days ago

Show the requested credential

I'm heavily using 1Password now for agentic usage. All of my business is set up on it now, and all of my credentials are locally using op://, or service accounts.

I've put in a lot of effort to try and isolate systems using least privilege, but one problem is that when agents (or applications) request a credential from the system, it doesn't say WHAT credential is being requested.

Half the time it doesn't even say the correct name for the application making the request, either. 

This is a big problem, because I'm starting to get into the habit of just spamming "Accept" blindly. But the whole reason I have set up this whole pipeline is so I can catch malicious programs trying to gain access - for example, supply chain attack infections.

Without seeing what credential is being requested, and the process information that is requesting it, I'm finding it's not actually adding much protection at all, because it's putting me into a false sense of security and promoting bad habits. If I'm running multiple agents in parallel, which is often the case, it might just say "Terminal requests access to your vault" or something similar. Which terminal is that? What is the underlying entity being requested? What credential? What is the process ID or terminal title, so I can isolate it to a terminal/agent? Etc.

I think this is something that urgently needs to be added. Otherwise, as it stands, it's not really offering much protection because users will just go "oh, it's probably just that agent running - I'm sure it's fine" and accept everything. If that agent happened to have installed a malicious npm package, you'd probably catch it too late.

2 Replies

  • Hi nbio, thanks for taking the time to share your feedback.

    I can definitely understand how this is an important improvement that would allow users to make more informed security decisions about what is actually being authorised. I've filed a feature request with the team, with all of the details you've provided here.

    CFP=19972

    • nbio
      New Contributor

      Thanks 1P_Gem - Another idea I had: if we had the ability to pass a string into the op line, that might help as well. So if it's like op://vault/item/key?message=Requesting+the+key+for+... - and that can be displayed in the dialog.

      Furthermore, I think one key issue with this is that the security boundaries can't be changed to item only. I.e., you can configure it to approve only specific items being read and unlocked for a time period, instead of entire vaults or the whole account being unlocked for a time period.